boardrider

Reputation: 6195

Working boto3 script now failing with botocore.exceptions.ClientError UnauthorizedOperation

I have a script that gathers usage data from AWS, which was working flawlessly for months.

Lately, it fails, with:

botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.

Following is a minimal script demonstrating the issue:

$ python3 demonstrate_UnauthorizedOperation.py
Traceback (most recent call last):
  File "demonstrate_UnauthorizedOperation.py", line 24, in <module>
    regions = get_regions()
  File "demonstrate_UnauthorizedOperation.py", line 11, in get_regions
    ec2_responses = ec2.describe_regions()
  File "/usr/lib/python3.6/site-packages/botocore/client.py", line 357, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/lib/python3.6/site-packages/botocore/client.py", line 661, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (UnauthorizedOperation) when calling the DescribeRegions operation: You are not authorized to perform this operation.

$ cat demonstrate_UnauthorizedOperation.py
import boto3, botocore

def get_regions():
    region = "us-east-1"
    region = "ap-northeast-1"
    region = "us-west-1"
    regions = dict()

    ec2 = boto3.client("ec2", region_name=region)
    ec2_responses = ec2.describe_regions()

    ssm_client = boto3.client('ssm', region_name=region)
    for resp in ec2_responses['Regions']:
        region_id = resp['RegionName']
        tmp = '/aws/service/global-infrastructure/regions/%s/longName' % region_id
        ssm_response = ssm_client.get_parameter(Name = tmp)
        region_name = ssm_response['Parameter']['Value'] 
        regions[region_id] = region_name
    return(regions)

if __name__ == "__main__":
    regions = get_regions()

$ cat ~/.aws/credentials 
[default]
aws_access_key_id = xxxxxxxxxxxIAJVMBEFxxxxxxxxxx
aws_secret_access_key = xxxMmperMqxxxxoR9R6ONjxx

[SoftLayer]
aws_access_key_id = xxxxxxxJ2zaY1lwbxxxxxxxxxxx
aws_secret_access_key = xxxxxFxRfagJwxxxxKnEMWLK

[qa@vestal ~]$ cat ~/.aws/client_secret.json 
{"installed":{"client_id":"360000009942-umxxxxxx3mr2s03nl9g8l9odi.apps.googleusercontent.com","project_id":"amiable-shuttle-190016","auth_uri":"https://accounts.google.com/o/oauth2/auth","token_uri":"https://accounts.google.com/o/oauth2/token","auth_provider_x509_cert_url":"https://www.googleapis.com/oauth2/v1/certs","client_secret":"pxxxxxxxg-zyxx6_nxxW","redirect_uris":["urn:ietf:wg:oauth:2.0:oob","http://localhost"]}}
$ 

Any ideas on how to debug this failure to authenticate?

Upvotes: 0

Views: 765

Answers (1)

Kevin Seaman

Reputation: 652

You are not having a failure to authenticate; you have a failure to be authorized. The user you are running the script as needs to have the ec2:DescribeRegions IAM permission.

Upvotes: 3
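Added example, not part of the original question or answer: a way to check which side of the authentication/authorization line a failure falls on for the two API calls the question's script makes. The names `classify`, `diagnose` and `CALLS` are hypothetical, the error-code sets are a selection of common AWS codes rather than a complete list, and `ssm:GetParameter` is included on the assumption that the script's `get_parameter` call needs it once `describe_regions` succeeds.

```python
# Added example: separate "who am I?" (authentication) from "may I?" (authorization).
# Error codes below are a selection of common AWS codes, not an exhaustive list.
AUTHN_CODES = {"AuthFailure", "InvalidClientTokenId", "SignatureDoesNotMatch",
               "ExpiredToken", "UnrecognizedClientException"}
AUTHZ_CODES = {"UnauthorizedOperation", "AccessDenied", "AccessDeniedException"}

# (service, client method, kwargs, IAM action) for the calls in the question's script.
CALLS = [
    ("ec2", "describe_regions", {}, "ec2:DescribeRegions"),
    ("ssm", "get_parameter",
     {"Name": "/aws/service/global-infrastructure/regions/us-west-1/longName"},
     "ssm:GetParameter"),
]

def classify(error_response):
    """Map a ClientError.response dict to 'authentication', 'authorization' or 'other'."""
    code = error_response.get("Error", {}).get("Code", "")
    if code in AUTHN_CODES:
        return "authentication"
    if code in AUTHZ_CODES:
        return "authorization"
    return "other"

def diagnose(session, region="us-west-1"):
    """Return (caller ARN or None, [(IAM action, verdict), ...]) for a boto3 session."""
    from botocore.exceptions import ClientError  # local import: classify() needs no boto3
    try:
        # GetCallerIdentity needs no IAM permission, so it tests credentials only
        # and shows which principal (which profile's keys) is actually in use.
        sts = session.client("sts", region_name=region)
        arn = sts.get_caller_identity()["Arn"]
    except ClientError as err:
        return None, [("sts:GetCallerIdentity", classify(err.response))]
    results = []
    for service, method, kwargs, action in CALLS:
        client = session.client(service, region_name=region)
        try:
            getattr(client, method)(**kwargs)
            results.append((action, "allowed"))
        except ClientError as err:
            results.append((action, classify(err.response)))
    return arn, results

if __name__ == "__main__":
    import boto3
    arn, results = diagnose(boto3.Session())  # default profile, as in the question
    print("caller:", arn)
    for action, verdict in results:
        print(f"{action}: {verdict}")
```

The ARN it prints identifies the IAM user or role whose policy needs the missing action; passing `boto3.Session(profile_name=...)` runs the same check against another profile from `~/.aws/credentials`.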
